The In-security of Infosecurity

Infosecurity Europe has packed its bags and left Earls Court for the last time. Next year’s show will move back to Olympia, later in the year on 2nd to 4th June. I posted a couple of blog posts from the show this week which focused on the main themes of the show and how things have moved on from last year. But, having spent three days at InfoSec, I was struck by how taken for granted a lot of the ‘security’ we are surrounded by is.

A great example of this was the sheer amount of unattended personal property that was on display. I tweeted a photo of one vendor (who shall remain nameless) who had left their stand store-room open for quite some time. Notice the combination lock on the door though. Wherever one looked there was a laptop, tablet or phone just waiting to be plucked from its out-of-sight owner. Other security problems I noticed were people reading restricted documents or talking about what I assume were confidential business dealings on the phone or in plain sight of the general public. There were also a number of demo systems showing personal or confidential business data, and a fair few shoulder-surfing opportunities from one-fingered password typers. Yes, I did see you type “qwerty” as your password.

Even though it isn't perfect, it’s still a relatively safe event. A remarkable achievement considering the conference part had its fair share of impressive hacking demos, even some that extend to attendees’ mobile phones or the show wireless network. But luckily nothing on the scale of compromise usually seen at the hard-core conferences like Defcon or Blackhat, where there seems to be an unwritten rule about hacking as much of the supporting infrastructure as possible.

Having said that, I’m sure many attendees didn’t check to see if the WiFi network they were connecting to was the legitimate show network and not a rogue access point. You didn’t, did you? Or perhaps didn’t use their VPN connection whilst on that public WiFi; rule 1 surely, especially at a security conference.

All of these hacking demonstrations show intent, in these cases intent to make people aware of the risks inherent in the use of technology, but there’s always a more malicious intent that could be unleashed by anyone who wants access to your data, or to steal your property.

The lack of awareness shown by some people at InfoSec was, at most, disappointing. Or to put it another way – a facepalm moment. But remember, it’s only through seeing and understanding these weaknesses that we learn how to protect against them and prevent them being exploited; and luckily learning about security is one of the founding principles of the show.

See you there next year.
